
3.
The Challenge
• Why can’t we be the ones to discover that a
system is compromised ?
• Before we receive a call from a 3rd party?
• How do we take a system like that one
– <insert one of your laptops here>
• And determine if it is clean or compromised?
MalwareArchaeology.com

4.
How all this started
• I worked for a gaming company that got pwned BAD by the Winnti
group
• We knew systems were infected, but how do you find what they
placed and modified on the system?
• In 2012 logging was not as good as it is now
• In 2014 logging was MUCH better – Yay CMD Line Logging 8.1/2012
• So we had to find it the old fashioned way
– Hash the files on a clean system (we built it) and compare it to a
suspect system, we had lots of suspects…
– RegShot GUI
– Painful long analysis, almost forensics
• Once we found the bad we had good tools to find it everywhere
– Splunk and BigFix are AWESOME !!!!!

5.
The Pretty Blue Blinky Lights
• We can’t all afford fancy $100k EDR endpoint
solutions
• Or fancy IR solutions
– I LOVE BigFix for IR, or equivalent
• We can’t all afford to call an IR Firm once an
incident occurs
– $350-$450/hr times X people

6.
So what are our options?
• Anti-Virus
• Next Gen Endpoint at $100k+
• Full Blown Forensics
• IR Firm at $350-$450/hr
• Detect and Respond yourself
• Proactive Hunting yourself
• Learning to do it ourselves should be our goal

7.
I think or know that one is infected
• So how do we go about investigating it?
• What kinds of things can we do to check a
system?
• We know certain things about systems
– The malwarians behave a certain way
– Many things are normal
• So let’s use what’s normal to find their bad
behavior

8.
Typical Malwarian Behavior
• They generally compromise user space first
– C:\Users
• And anywhere a standard user has rights
– Whatever level a user is logged into, they have rights
to add/modify/delete stuff
• Then they go to Admin creds and space
– They own the system now
• And now east/west lateral movement is easy
• And all that APT stuff the reports talk about

9.
So how do we catch them?
• We need to focus more on Detection and Hunting
• Automate it too!
• Log management is the best option IMHO, but it can
also be costly
– There are cheaper solutions – Graylog, ELK, etc.
– But free is not (human resource) free
• Most of us have configuration management, we have
to automate patching
• Maybe we can use this?

10.
Command Line Rocks!
• We all use it
• So do many/most IR and Forensics tools
• GUIs are bad because we cannot automate a GUI
• So command line rocks
• We can automate command line
• Which is why I recommend and use command
line solutions and tools
– If you don’t have the $$$$ solutions

11.
Command Line
• We can use logon scripts, PowerShell, PSExec,
etc.
• Configuration Management like BigFix,
Tanium, SCCM
• Pick one, something, whatever you have
• This allows you to automate command line
tools

14.
So what can we do quickly?
• Lots of python scripts, projects, tools and options
– Not really my thing, too many things to compile and tweak,
I should not have to hack together my detection and
hunting tool(s) suite
• I wanted something that allowed me to focus on what I
saw that worked
– Well configured logs
– Targeted reports by category
– Large Registry Keys
– Changes to Registry keys
– Files added to places that seem odd
– Other Interesting Artifacts

16.
I came here to show you a new tool
• It did not exist, so we created it
– Turned a collection of my scripts into a tool
• Built on everything I saw and experienced with
Winnti over 3 years, which was a LOT
• And Breach and Malware Analysis reports
• Tips from colleagues at this very conference
• And years of experience of course
• And because we may not be able to afford $$$$

17.
The Log and Malicious Discovery tool
Logging:
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Audits your system log settings and produces a report,
every time it runs
• Also shows failed items on the console
• Guides you to configure proper audit logging
• Guides you to enable what is valuable
• Compares auditing to many industry standards
– CIS, USGCB and AU standards and “Windows Logging Cheat
Sheet”

18.
There are three versions
• Free Edition
• Professional Edition
• Consulting Edition
– Just a license difference to Pro

19.
All Versions
• Collect 1-7 days of logs; 7 days is about a 1GB Security Log
• LOG-MD does more than just harvest logs
• Full filesystem Hash Baseline
• Full filesystem compare to a Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
• List of Autoruns (coming next release)
• List of Locked files (coming next release)
• 3 Whitelist files to reduce normal noise and events

20.
Free Edition
• Over 15 reports
• Quick Start Guide
• All reports are TXT or CSV for easy scripting and
post processing with your favorite flavor of
scripting
• Scripts I created are what became LOG-MD Pro

22.
• Interesting Artifacts report
– Null byte in registry value, Sticky Keys, etc.
– Adding more all the time
• SRUM (netflow from/to a binary)
– Win 8.1 and 10 only
• AutoRuns compare feature to show only those
Autoruns whose hashes are not in the Master
Digest or Whitelisted parameters

24.
Master-Digest
• A Hash Baseline (Hash_Baseline.txt) is a list of every
file and hash on the C: drive
• A Master Digest only lists the unique files and hashes,
and they are sorted
• Results in 33%+ fewer files to do compares against, so
much faster
• Speed for any disk reads is a good thing

25.
Master-Digest
• You can append files and hashes to the Master
Digest as you validate them as good
• You can feed the Master Digest any set of
SHA256 Hashes like:
– Hashsets.com (Whitehat Forensics)
– NSRL, etc.
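A minimal version of the Hash Baseline, Master Digest and compare workflow from slides 19, 24 and 25, written here as an added Python example; it is not LOG-MD's own code, and the directory layout and file contents built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """SHA256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_baseline(root):
    """Hash_Baseline-style listing: (relative path, sha256) for every file under root."""
    root = Path(root)
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                rows.append((p.relative_to(root).as_posix(), hash_file(p)))
            except OSError:
                pass  # locked or unreadable file: it cannot be hashed (see the Locked Files slide)
    return rows

def master_digest(baseline):
    """Master-Digest-style list: unique hashes only, sorted, so compares touch fewer entries."""
    return sorted({h for _, h in baseline})

def compare_to_digest(suspect_root, digest):
    """Files on the suspect tree whose hash is not in the digest: added or modified since baseline."""
    known = set(digest)
    return [(p, h) for p, h in hash_baseline(suspect_root) if h not in known]

def demo():
    """Constructed clean vs. suspect trees: one binary modified, one dropped into user space."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "clean", base / "suspect"
    for root in (clean, suspect):
        (root / "Windows").mkdir(parents=True)
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ-notepad")
        (root / "Windows" / "calc.exe").write_bytes(b"MZ-calc")
    (suspect / "Windows" / "calc.exe").write_bytes(b"MZ-calc-patched")
    (suspect / "Users").mkdir()
    (suspect / "Users" / "dropper.exe").write_bytes(b"MZ-dropper")
    digest = master_digest(hash_baseline(clean))
    return sorted(p for p, _ in compare_to_digest(suspect, digest))
```

Appending hashes you validate as good (or an external SHA256 set such as NSRL) is just a set union with the digest followed by a re-sort.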

27.
SRUM for IR and Malware Analysis
• SRUM holds 60 days of data !!!
• Updates (flushes cache to the database) in
one hour intervals or on shutdown
• How many bytes were written and read from
the system by Application/Process

28.
• LOG-MD-Pro can harvest SRUM data LIVE or
offline like traditional forensic tools
• Great for answering the questions
– Did we lose any data?
– When were we first infected?

30.
Autoruns
• We need to find the persistence
• There are typically over 1000 autoruns
• We need a way to filter down the known good
• Master-Digest to the rescue !!!
• Whitelist out binaries with parameters
• The parameters are often where the bad stuff
hides so whitelisting is the best option
• So we let you whitelist out your known good
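The Autoruns compare described on slides 22 and 30, as an added Python example rather than LOG-MD's implementation; the CSV column layout, the hash values and the whitelist entries are constructed assumptions, and the rule that a known-good hash only hides an entry when it carries no parameters is my reading of why parameters need their own whitelist.

```python
import csv
import io

# Constructed autoruns export. The column layout is assumed for this example, not
# LOG-MD's real report format; the sha256 values are shortened placeholders.
AUTORUNS_CSV = """\
location,image_path,parameters,sha256
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Windows\\explorer.exe,,H-EXPLORER
HKLM\\System\\CurrentControlSet\\Services\\wuauserv,C:\\Windows\\System32\\svchost.exe,-k netsvcs,H-SVCHOST
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Windows\\System32\\rundll32.exe,"shell32.dll,Control_RunDLL",H-RUNDLL32
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Windows\\System32\\rundll32.exe,"C:\\Users\\bob\\AppData\\Roaming\\upd.dll,Start",H-RUNDLL32
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe,,H-UNKNOWN
"""

# Hashes validated as good (a Master Digest) and binary + parameter pairs validated as good.
MASTER_DIGEST = {"H-EXPLORER", "H-SVCHOST", "H-RUNDLL32"}
WHITELIST = {
    ("C:\\Windows\\System32\\svchost.exe", "-k netsvcs"),
    ("C:\\Windows\\System32\\rundll32.exe", "shell32.dll,Control_RunDLL"),
}

def suspicious_autoruns(csv_text, digest, whitelist):
    """Return autoruns that are neither hash-known-good nor an approved binary + parameter pair."""
    digest = {h.lower() for h in digest}
    allowed = {(img.lower(), p.lower()) for img, p in whitelist}  # Windows paths: case-insensitive
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image, params = row["image_path"].lower(), row["parameters"].strip().lower()
        if (image, params) in allowed:
            continue  # this exact binary + parameters was validated before
        if not params and row["sha256"].lower() in digest:
            continue  # known-good binary with nothing on the command line
        # A known-good binary with unvalidated parameters (rundll32 loading a DLL from a
        # user profile) still surfaces: the parameters are where the bad often hides.
        hits.append((row["location"], row["image_path"], row["parameters"]))
    return hits
```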

33.
Locked Files
• If a file is locked…
• You can’t hash it
• You can’t run Sigcheck or Strings or pick your
favorite tool; you need to break the handle
first
• It sure would be nice to see a list of locked
files
• That are DIFFERENT from the norm